All,

Deniz gave me the solution. I tested it and it works great. Thanks.

cisco4ng

P.S. By the way, the shell of the "root" account in SPLAT is already bash. I didn't have to do anything with the /etc/passwd file.

Deniz Cevik <[EMAIL PROTECTED]> wrote:

In order to use scp in SecurePlatform, you need to put scp users into /etc/scpusers:

echo > /etc/scpusers

If the file exists:

echo >> /etc/scpusers

Also, you need to change the shell of the scp user from cpshell to tcsh.

BR.

cisco4ng
Sent by: Mailing list for discussion of Firewall-1
02.08.2005 19:09
Please respond to Mailing list for discussion of Firewall-1
To [email protected]
cc
Subject [FW-1] scp (aka Secure Copy) in SPLAT with RSA key authentication

All,

I have an automated script that backs up the configuration of my SPLAT enforcement module nightly at 11:30pm. This automated script runs "upgrade_export" and also copies the /etc/sysconfig/cpnetstart file into a local directory that I created on the enforcement module, called /var/monitor/fwuser/backups. That part is working fine.

At 12am each night, I have another script on my Linux machine that will copy these files from the enforcement module and store them on my Linux machine. I put the id_rsa.pub key of my Linux machine into the /root/.ssh/authorized_keys of the SPLAT box. After that, I can ssh into the SPLAT box via RSA key just fine.

However, every time I tried to do "scp" and grab the file from the SPLAT back to my Linux box, the connection seems to be OK but I am not getting any files. Does ssh in SPLAT support "scp"? It seems like it is not working for me. Please help.

Working for ssh:

[EMAIL PROTECTED] admin]$ ssh -v -l root 192.168.15.2
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.15.2 [192.168.15.2] port 22.
debug1: Connection established.
debug1: identity file /home/admin/.ssh/identity type -1
debug1: identity file /home/admin/.ssh/id_rsa type 1
debug1: identity file /home/admin/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 119/256
debug1: bits set: 1618/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.15.2' is known and matches the RSA host key.
debug1: Found key in /home/admin/.ssh/known_hosts:1
debug1: bits set: 1613/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/admin/.ssh/identity
debug1: try pubkey: /home/admin/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x808b9d0 hint 1
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Tue Aug 2 12:00:10 2005 from 192.168.15.100
[EMAIL PROTECTED]

Not working for scp:

[EMAIL PROTECTED] admin]$ scp -v [EMAIL PROTECTED]:/var/monitor/fwuser/scripts/cpnetstart* .
Executing: program /usr/bin/ssh host 192.168.15.2, user root, command scp -v -f /var/monitor/fwuser/scripts/cpnetstart*
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.15.2 [192.168.15.2] port 22.
debug1: Connection established.
debug1: identity file /home/admin/.ssh/identity type -1
debug1: identity file /home/admin/.ssh/id_rsa type 1
debug1: identity file /home/admin/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 134/256
debug1: bits set: 1637/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.15.2' is known and matches the RSA host key.
debug1: Found key in /home/admin/.ssh/known_hosts:1
debug1: bits set: 1517/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/admin/.ssh/identity
debug1: try pubkey: /home/admin/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x808b9d0 hint 1
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: fd 4 setting O_NONBLOCK
debug1: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: scp -v -f /var/monitor/fwuser/scripts/cpnetstart*
debug1: channel request 0: exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
[EMAIL PROTECTED] admin]$

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
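
Added example, not part of the original thread and not Check Point code: a pre-flight check to run on the SPLAT box for the two conditions raised above, namely that the account is listed in /etc/scpusers and that its login shell is not cpshell. It assumes /etc/scpusers holds one user name per line, as the echo commands in the reply imply; the function name scp_precheck is hypothetical.

```shell
#!/bin/sh
# Added example: checks the two scp prerequisites discussed in the thread.
# Assumption: /etc/scpusers lists one user name per line.

# scp_precheck USER [SCPUSERS_FILE] [PASSWD_FILE]
# Prints one finding per line.
# Returns 0 if both conditions hold, 1 if either fails,
# 2 if USER has no entry in the passwd file.
scp_precheck() {
    user=$1
    scpusers=${2:-/etc/scpusers}
    passwd=${3:-/etc/passwd}
    rc=0

    # Exact match on the first passwd field (no regex, no prefix matches).
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd" 2>/dev/null)
    if [ -z "$entry" ]; then
        echo "FAIL: no entry for '$user' in $passwd"
        return 2
    fi
    shell=${entry##*:}          # last passwd field is the login shell

    # Whole-line, fixed-string match; a missing file counts as "not listed".
    if grep -qxF -- "$user" "$scpusers" 2>/dev/null; then
        echo "OK:   '$user' is listed in $scpusers"
    else
        echo "FAIL: '$user' is not listed in $scpusers"
        rc=1
    fi

    # Match on the shell's base name so the install path does not matter.
    case ${shell##*/} in
        cpshell) echo "FAIL: login shell is $shell (cpshell)"; rc=1 ;;
        *)       echo "OK:   login shell is $shell" ;;
    esac
    return $rc
}

# Stand-alone use: sh scp_precheck.sh root
if [ "$#" -gt 0 ]; then
    scp_precheck "$@"
fi
```

Run it as the account that the nightly copy job logs in with; any FAIL line points at the file to fix before retrying scp.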
